Apache-SSL memory disclosure

2008-04-03 / 2008-04-04
Risk: Low
Local: No
Remote: No
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Folks, Following information/research provided by Alexander Klink, a new release is out, fixing a low priority security issue as detailed below. The release is on the primary Apache-SSL ftp server and should hit the mirrors over the next few hours, according to their schedules. See http://www.apache-ssl.org for mirrors. Advisory follows: ============================================ ||| Security Advisory AKLINK-SA-2008-005 ||| ||| CVE-2008-0555 (CVE candidate) ||| ============================================ Apache-SSL memory disclosure ============================ Date released: 02.04.2008 Date reported: 17.01.2008 $Revision: 1.1 $ by Alexander Klink Cynops GmbH a.klink (at) cynops (dot) de [email concealed] https://www.cynops.de/advisories/CVE-2008-0555.txt (S/MIME signed: https://www.cynops.de/advisories/CVE-2008-0555-signed.txt) https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555 Vendor: Adam & Ben Laurie Product: Apache-SSL Website: http://www.apache-ssl.org Vulnerability: memory disclosure, potential privilege escalation in web applications Class: remote Status: patched Severity: low Releases known to be affected: apache_1.3.34+ssl_1.57 Releases known NOT to be affected: apache_1.3.41+ssl_1.59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Background: Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Overview: Apache-SSL provides environment variables that are filled with (client) certificate data. If the subject of a client certificate contains special characters, parts of these variables can be overwritten or be filled with other parts of memory. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Technical details: The certificate DN as returned by the OpenSSL X509_NAME_online is passed into the following function: static void ExpandCert(pool *p,table *pEnv,char *szPrefix, char *szDN, char *szCert) { char buf[HUGE_STRING_LEN]; char *s,*t; /* Expand a X509_oneline entry into it's base components and register them as environment variables. Needed if you want to pass certificate information to CGI's. The naming convention SHOULD be fairly compatible with CGI's written for stronghold's certificate info - Q */ /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */ ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert)); ap_cpystrn(buf,szCert,sizeof buf); for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/")) { int n=strcspn(s,"="); s[n]='\0'; StrUpper(s); t=ap_pstrcat(p,szPrefix,s,NULL); ap_table_setn(pEnv,t,ap_pstrdup(p,s+n+1)); } } The function assumes that the relative distinguished name does not contain a '/'. If a / is contained in for example the common name, strcspn(s,"=") returns the size of s, so s+n+1 points beyond the current token. Furthermore, environment variables can be overwritten by including '/' and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable, one could use a certificate with a CN of "/OU=Fake OU". If an application relies on this information to distinguish certificates into different authorization classes, it can be fooled this way. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Communication: * 17.01.2008: Reported the bug to Ben Laurie * 17.01.2008: Ben replies and acknowledges the bug * 01.02.2008: Checking back with Ben on the status * 01.02.2008: Ben replies that he'll be looking into a patch over the weekend * 06.02.2008: Ben sends patch and asks for help with testing it * 07.02.2008: Reply with test results (still a small problem unrelated to the original issue) * 09.02.2008: Ben sends updated patch * 11.02.2008: Told Ben that patch works fine * 18.02.2008: Requested update * 18.02.2008: Ben replies that he'll deal with it in the next week or so * 27.02.2008: Requested update * 27.02.2008: Patch for Apache 1.3.41 is ready, but release is normally managed by Adam Laurie, who is on holiday till March, 11th * 28.02.2008: Agreed to wait for Adam to return * 12.03.2008: Ben informs Adam of the new release * 25.03.2008: Requested update * 25.03.2008: Ben replies, they are waiting for an updated advisory from me * 25.03.2008: Sent out updated advisory * 27.03.2008: Adam says sorry for the delays and that he will try to work on this while he is at "a conference in Amsterdam" * 01.04.2008: Coordination with Adam and Ben on a release +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Solution: Upgrade to apache_1.3.41+ssl_1.59. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Credits: - Alexander Klink, Cynops GmbH (discovery) cheers, Adam -- Adam Laurie Tel: +44 (0) 1304 814800 The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899 Ash Radar Station Marshborough Road Sandwich mailto:adam (at) algroup.co (dot) uk [email concealed] Kent CT13 0PL UNITED KINGDOM PGP key on keyservers


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top